I have a firewall that has 3 IP aliases on 1 physical interface. Packets get dropped between these 3 interfaces (either ICMP, HTTP, or anything else). We tracked it down to these packets being marked INVALID in the FORWARD rule and dropped due to this rule:


The INVALID state means that the packet is not associated with a known connection (and isn't starting a new connection either). The only reasons I can think of are that something is clearing the connection tracking table, the table is overflowing, or the entries are timing out too quickly. You can check the size of the connection tracking table with sudo conntrack -L | wc -l and the maximum number of entries with cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max.

The conntrack is not full. Which parameter could cause a timeout?
– ℝaphink Oct 25 '12 at 7:22

@ℝaphink There are numerous timeout parameters for different situations, have a look in /proc/sys/net/ipv4/netfilter/. ip_conntrack_generic_timeout is probably the most important one.
– mgorven Oct 25 '12 at 16:42
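Putting the answer's table-size check and the timeout hint from the comments into one script, as an added example that is not part of the thread; the /proc paths it probes, the 80% usage threshold, the 30 s floor and the sample sysctl lines are my assumptions, not values from the question.

```shell
#!/bin/sh
# Added example, not from the thread above. Two checks for the causes named
# in the answer: a nearly full conntrack table, and conntrack timeouts that
# were lowered so far that mid-flow packets arrive after their entry expired
# and are classified INVALID. Paths and thresholds are assumptions.

# conntrack_headroom COUNT MAX: prints "warn" when the table is >= 80% used, else "ok".
conntrack_headroom() {
    pct=$(( $1 * 100 / $2 ))
    [ "$pct" -ge 80 ] && echo "warn" || echo "ok"
}

# live_headroom: reads the live counters from whichever /proc path this kernel
# provides (newer kernels: net/netfilter; older ones: net/ipv4/netfilter).
live_headroom() {
    for d in /proc/sys/net/netfilter /proc/sys/net/ipv4/netfilter; do
        if [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ]; then
            conntrack_headroom "$(cat "$d/nf_conntrack_count")" "$(cat "$d/nf_conntrack_max")"
            return 0
        fi
    done
    echo "unknown"
}

# short_timeouts FLOOR: reads "key = value" lines (sysctl -a format) on stdin and
# prints every conntrack *timeout* key whose value in seconds is below FLOOR.
short_timeouts() {
    floor=$1
    while IFS= read -r line; do
        key=${line%%[ =]*}
        val=${line##*[ =]}
        case "$key" in
            *conntrack*timeout*) [ "$val" -lt "$floor" ] && echo "$key" ;;
        esac
    done
    return 0
}

# Constructed sample of sysctl output: generic and established timeouts lowered.
SAMPLE_SYSCTL='net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_generic_timeout = 10
net.netfilter.nf_conntrack_tcp_timeout_established = 20
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120'

echo "table headroom: $(live_headroom)"
echo "timeouts below 30s in sample:"
printf '%s\n' "$SAMPLE_SYSCTL" | short_timeouts 30
```

On a live firewall, feed real output instead of the sample: sysctl -a 2>/dev/null | short_timeouts 30.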